Electronic Permanence: Changing records and releases

On September 22, 2011, I attended a webinar sponsored by the Business Operations for Behavioral Health Collaborative, a SAMHSA-funded joint venture of the National Council for Community Behavioral Healthcare, the National Association of Community Health Centers, NIATx, and the State Associations of Addictions Services (SAAS). The topic of the webinar was Health Information Exchange and Behavioral Health.

This is an area that has interested and concerned me for quite a while. As developers of software for behavioral health providers, SOS has for years been monitoring developments in the arena of Health Information Exchange (HIE). This is the method by which Electronic Medical Record (EMR) software will exchange information among providers and healthcare organizations. The HIE is both the process of exchanging information and any repository of that information for easy access by those with rights to the data.

This is the bugaboo that has always bothered me as well as my colleagues in the behavioral health software trade association to which we belong (Software and Technology Vendors Association). SATVA members are committed to assuring that our products share information only as the law allows and as consumers wish.

Work is currently in progress to assure that a universal method of acquiring patient permission for release of their information is part of any HIE. Such a method would undoubtedly allow a patient to specify providers to whom their treatment and diagnosis information can be released and any providers to whom it cannot be released. But what happens when a patient changes their mind?

Here’s a hypothetical example that jumps into the future by a few years, when all or most healthcare providers have EMRs and are connected into their regional HIEs.

John D. is admitted to the Emergency Room of a local hospital after a panic attack that he interprets as a heart attack. Among the papers that he signs is a release for the ER to access any information in the regional HIE about his health conditions. Since he is not thinking very clearly as he is sure he is dying from a heart attack, he signs everything put in front of him. After he is medicated, stabilized and sent home, he wonders about what he signed and which of his health information will now be available to whom. Does he really want his optometrist to know that he was treated with an anti-anxiety medication and prescribed an antidepressant (which he decided not to take)? Is it necessary for his urologist to have this information? What does he do to protect just that ER visit information and keep it from being sent on to other providers?

And what do our mental health and substance abuse patients do to secure their sensitive information?

This process concerns me because of my experience that once a piece of information has been entered into some large electronic database, getting it out may be near to impossible. Several years ago, I attended a conference in New Jersey. I rented a car, drove to the city in which the conference was held, returned the car and paid my bill in a timely fashion, and returned home.

The next time I needed to rent a car was three months after Katrina flooded New Orleans when my mother and I returned to check on her home and attend the funeral of one of my uncles. For some reason, the car was reserved in my mother’s name…the airline tickets were purchased with her card…even though I had placed my name on everything. The rental agency manager noticed something wrong when we picked up the car; there was a block on my account even though there was no balance. She overrode the block, gave me the keys to the car, and we were on our way. I did not give it another thought.

In several return visits to New Orleans, I again rented cars from the same company and always wound up with a car, not even knowing there continued to be a block on my account. Each time the agent or manager overrode the hold and gave me the keys. In November 2010, we arrived in New Orleans on a Sunday. The agent and assistant manager decided they did not have the authority to override the block on my account and there was no one they could contact to clear it. They refused to rent a car to me and offered no solution. They gave me a phone number I could call on Monday, but did not even offer my 90 year old mother and me transportation to another agency. I cursed and swore I would never rent from their unprofessional agency again and called my brother to come pick us up. Fortunately, he was thinking clearly enough to suggest that we go across the highway to a different company and rent a car there.

I did call the company the next day and eventually got the written apology and clearance of my account that I requested. It took six years for this correction of an error to happen.

What processes will we insist be put in place to assure that patients can change their minds about release of information or correct errors or enter corrected information into their records? What kind of advocacy will be required? What do mental health and substance abuse providers need to do to assure that the privacy of their patients’ sensitive information will be handled as they choose?

Please share your thoughts about HIE and EMRs and where we are going with this process.

Data Safety, Consent to Release, and EMRs

According to a June 14, 2011 report by Government Health IT News, consumers’ confidence in the safety of their data in electronic health records (EHRs) is a prerequisite to the successful adoption of electronic means of recording and sharing health records. So says Dixie Baker, chair of advisory Health IT Standards Committee’s privacy and security workgroup and senior vice president and chief technology officer for health solutions for SAIC. Feeling assured that their information is safe and secure and going only where it is supposed to go will allow the public to support their health care providers in moving to electronic medical records (EMRs).

In fact, Government Health IT News reported on June 24 that the Office of the National Coordinator for Health IT (ONC) plans to contract with a vendor “to explore and evaluate methods to electronically obtain and record from patients their informed consent about sharing their health data.” The solicitation focuses heavily on the matter of educating patients about disclosure and consent for release of information.

In substance abuse and behavioral health settings, requirements beyond those encoded by HIPAA and HITECH are mandated in federal and state laws. 42 CFR Part 2 applies to any provider or provider organization holding itself out as a provider of alcohol or drug abuse treatment and to federally assisted alcohol or drug abuse programs. Special “handling” of the record is required, especially when it comes to re-release of the information obtained. It is not acceptable for a provider to receive information from an alcohol abuse program, incorporate it into their EMR and then release it on to other providers of the patient, without the specific consent of the patient.

The legal complexities are immense. Members of the Software and Technology Vendors Association (SATVA) who work with these issues all the time, have been wrestling with the kind of consent that could be used to disclose records and appropriately specify the degree to which such disclosure is authorized by the patient. Anasazi Software has shared a memorandum of understanding about privacy and security issues related to health information exchange (HIE) in California drafted at their expense. California and some other states have even more restrictive laws than 42 CFR Part 2.

The conclusions in this document lead SATVA members Anasazi Software, Valley Hope Association, and Sequest Technologies to work together to develop and demonstrate to SAMHSA a solution for managing automated electronic health information disclosure. The standardized consent for health information disclosure that they developed could go a long way toward assuring consumer control of their record, at least as that record is represented by the Continuity of Care Document (CCD).

This kind of cooperative effort is one of many reasons of why we at Synergistic Office Solutions are proud to be members of SATVA.

Psychologists and EMR: Movement forward

Last week I attended a continuing education workshop for psychologists at my local chapter of the Florida Psychological Association. Psychological Records: Basic Requirements and the (Forced?) Choice of EMRs was presented by Robert J. Porter, Ph.D., president of the Tampa Bay chapter and treasurer of Florida Psychological Association. Dr. Porter’s presentation was attended by about 30 psychologists and other mental health providers. The last FPA workshop on EMRs that I attended was over 10 years ago, and it was given by me. There were about five psychologists present at that workshop.

The difference in attendance speaks to multiple issues. First, Dr. Porter is an excellent presenter who talked broadly about EMRs. His years as a researcher and university professor combined with recent years in private practice give him great credibility. Secondly, the EMR landscape has changed hugely in the past decade with government requirements to migrate patient records to an EMR a distinct possibility.

The psychologists who are my age peers who used an EMR  loved computers and liked doing all their work there. Most of our age-mates would never have considered keeping records that could not be locked up in a file cabinet behind their locked office door. The younger psychologists who are now replacing us in the private practice community are not only willing to consider keeping their records electronically. . . they are willing to keep them online using a Software as a Service (SaaS) type product. The move from needing to hold the patient record in my hot little hands to allowing it to float out there in the cloud is a sea change.

While Dr. Porter presented a great deal of information in the two hours he spoke, there were several items I thought you might find interesting.

  1. The American Psychological Association published Record Keeping Guidelines in the December 2007 issue of the American Psychologist. If you are a psychologist and you keep records, you should read them. If you keep behavioral health records but are not a psychologist, you might take a look at them. Such Guidelines frequently become part of the standard of care in a professional community.
  2. The APA Guidelines recommend disclosure to the patient of your record keeping procedures, including the limitations of confidentiality of the records. Those limitations of confidentiality lead to a likely need to maintain a separate  record of care for each person you treat, including for each individual member of a family or couple. (Guideline 4)
  3. Ofer Zur, Ph.D., a licensed psychologist in California, offers extensive information about and continuing education on record keeping and many other aspects of behavioral health practice. [Retrieved 4/19/2011 from http://www.zurinstitute.com/recordkeepingguidelines.html.]
  4. Dr. Zur points out that a treatment plan usually includes problems or symptoms, a diagnosis, goals of treatment, interventions to be used to achieve the goals, and the rationale for use of those interventions.


I would add a quick note about the possibility of a requirement to keep records of psychological care in an EMR. At present, the only behavioral health providers who are Eligible Providers (EP) for ARRA funding to purchase an EMR are psychiatrists and nurse practitioners. Psychologists, social workers, mental health counselors and addiction professionals do not qualify, nor do psychiatric hospitals. While this may change, there is currenly no way for most mental health providers to obtain stimulus funds. At the same time, there is no requirement for them to move to an EMR, nor will they be penalized for not doing so (psychiatrists and nurse practitioners may be subjected to Medicare withholds). Fortunately, most of the products aimed at the private mental health practitioner are relatively inexpensive and can easily be obtained without resorting to government funding or a second mortgage on your house.

While an electronic medical record can be a powerful way to significantly increase the quality of the records maintained by you and your organization, you must know what you are required to maintain in the record. . . by the governmental jurisdictions and the professional guidelines to which you are subject.

How does your organization determine what goes in the client’s record? Who is responsible for those records? Are you using an EMR, a paper record, or some hybrid system?

Please share your thoughts on records in the Comments below.

Your Health Information: Where do you want it?

My extreme concern about data protection and privacy have made me wonder how effective the drive to electronic medical records (EMRs) will be, particularly in the behavioral health arena. My clearest recollections from the first day of my psychology internship at a community mental health center are all of the instructions related to protecting patient privacy. As a mental health software vendor, I have continued to have this strong drive to protect the data of any patient. Finally, HIPAA and HITECH have caught up with the concerns of those of us trained to put patient privacy protection ahead of most other concerns.

The rush to EMRs that can share information with one another (interoperability) has as its goal diminished costs and increased quality of health care. The need to keep that information secure and private is usually dealt with almost as a side issue. I have often heard statements like these: “Why, of course the data will be protected. Why are you so worried about keeping data private? Sharing it with other providers is much more important than privacy. Some compromises will need to be made . . . ”

The American Medical Association, in their discussion of patient confidentiality, briefly indicate their concerns about EMRs.

Electronic health information systems allow increased access and tranmission [sic] to health data.  Physicians in integrated delivery systems or networks now have access to the confidential information of all the patients within their system or network. Confidential information also is disseminated through clinical repositories and shared databases. Sharing this information allows patients to be treated more efficiently and safely. The challenge for physicians is to utilize this technology, while honoring and respecting patient confidentiality.

Sharing confidential information among treating professionals is only one aspect of this issue. Now we must consider to the issue of sharing the electronic data with the patient.  

According to John Fully on nextgov, patients want access to the information stored in the electronic records about them maintained by their physicians. 93% of patients have rarely or never asked their physicians for electronic copies of their data, but 70% say it is very important to them that doctors and hospitals provide those electronic records. 60% of patients and over half of physicians say sharing information from EMRs with patients will be a crucial measure of how successful health care reform and provision of stimulus dollars has been.

One potential method for sharing those electronic records is the Personal Health Record (PHR). After all, having an electronic copy of the physician’s record but having no way to store or to access it will not be a very beneficial state. As a result, provider organizations, payers, and even Medicare have begun to connect EMRs, claim histories, and PHRs as an effective way of tracking your health.

Even so, patients are hesitant.

. . . while the products use some of the same technology that banks use to secure financial data, some patients remain wary of putting health information online. Only about 4% of the online population uses Internet-based PHRs, according to Elizabeth W. Boehm, a principal analyst at Forrester Research Inc. in Cambridge, Mass. Many people don’t see the need, Ms. Boehm says, while others are nervous about putting confidential health information online.

That figure is telling. It is not that only 4% of patients use a PHR . . . only 4% of the online pupulation uses one . . . only 4% of the people who use the Internet all the time utilize an online PHR.

I have registered for the PHR used by my insurer. The Privacy policy says all the right things. I have entered some information into it, but I am still hesitant to put everything there. The conventional wisdom is that these programs are secure. I’ll give you an example of why I am slow to completely adopt.

About 18 months ago, I noticed that one of my mother’s physician claims was rejected by her Medicare supplemental plan. When I looked at the EOB more carefully, I noticed that it had been filed on my insurance plan rather than on my mother’s Medicare supplement plan. Since we both have the same insurer, I telephoned, explained what had obviously happened and was assured that it would be corrected. When I checked my PHR today prior to writing this blog, I found that claim still sitting in my record.

I have never been a patient of the physician who filed the claim, so I know he did not file the claim with my insurance information. I am thirty years younger than my mother and my first name does not come close to hers. But the same last name and address resulted in this confusion that has not yet been corrected. I cannot help but wonder what other two bits of information might result in the confusion of something important in my file and that of some stranger. Since this payer automatically adds claim information to the PHR, their system now sees me as the patient of a cardiologist . . . something I have not yet become. I wonder what other data confusions I have in store.

What is your take on PHRs? How do you see them affecting the behavioral health community? Please enter your comments below.

HITECH Act, Psychotherapy Notes and Test Results

I am sure some of you remember that the HITECH portion of the stimulus bill (ARRA) included attempts to strengthen the protection of psychotherapy notes in the new Electronic Medical Records (EMRs). In fact, the Secretary of HHS was instructed by Congress to study whether the protections for psychotherapy notes granted by HIPAA should be extended to psychological testing.

HHS is finally gearing up to begin this study and the Substance Abuse Mental Health Services Administration (SAMHSA) has been tasked with organizing and conducting the study.

September 7, 2010
 The Substance Abuse Mental Health Services Administration (SAMHSA) is conducting a Confidentiality and Privacy Issues Related to Psychological Testing Data study, in close cooperation with the Office for Civil Rights (OCR) pursuant to section 13424 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, a component of the American Recovery and Reinvestment Act (ARRA) (P.L. 111-5). This study is addressing whether the HIPAA Privacy Rule’s special protections relating to the use and disclosure of psychotherapy notes should also be applied to “test data that is related to direct responses, scores, items, forms, protocols, manuals or other materials that are part of a mental health evaluation.”
As part of this study, SAMHSA is hosting public meetings to bring together professionals in the areas of mental health and privacy protection to discuss current practices and the policy implications surrounding this very important issue. The next regional public meeting will be held at the U.S. Department of Health and Human Services Region 5 office in Chicago, Illinois, on October 7, 2010. The details of this meeting, as well as the project staff contact information, are contained in the embedded brochure…. 


Some of the issues that will be addressed are included on page two of the brochure.

  • What  activities  and  information  are  considered  the  “test  data”  that  is  part  of  a  mental health evaluation?  What are the relevant distinctions among test materials, raw data, and reports  or  assessments  with  respect  to  the  level  of  protection  currently  afforded  and/or otherwise necessary?
  • Are  there  circumstances  under  which  test  data  should  be  disclosed  to  third  parties?  Should  the  individual’s  authorization  be  required  prior  to  such  a  disclosure?  To  whom should test data be released?
  • How  would  affording  mental  health  test  data  a  higher  level  of  protection  affect  the workflow  in  medical,  behavioral  health,  or  psychological  practices?  Are  there  any additional  implications  with  respect  to  clinical  integration  efforts  and  the  increasing
    availability of mental health services in general health care settings?

Another regional meeting is planned for Los Angeles in November or December. SAMHSA does not indicate whether others will be held. This is certainly an important opportunity to have your voice heard if you are a practitioner whose primary work is psychological testing, if you are a consumer of services who might want or not want raw test data to be shared among treating professionals without your specific authorization, or if you are a potential recipient of such data.

Is the protection of psychotherapy notes and psychological test data an issue for your practice or organization? What guidelines do you currently follow in determining how such data are released? How would new rules affect you?

Please share your comments below.